In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability can often be mishandled. According to the definition of risk, the danger is the possibility that an event will occur and adversely affect the achievement of an objective. Therefore, risk itself has the uncertainty. Risk management can help managers have a good control of their threat. Every company has a different method of approach for their internal control, which leads to the diverse result for the various companies. Method For the most part, these methods consist of the following elements, performed, more or less, in the following order. 1. identify, characterize threats 2. assess the vulnerability of critical assets to specific threats 3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets) 4. identify ways to reduce those risks 5. prioritize risk reduction measures based on a strategy Principles of risk management The International Organization for Standardization (ISO) identifies the following principles of risk management: Risk management should: • create value – resources expended to mitigate risk should be less than the consequence of inaction • be an integral part of organizational processes • be part of decision making process • explicitly address uncertainty and assumptions • be a systematic and structured process • be based on the best available information • be tailorable • take human factors into account • be transparent and inclusive • be dynamic, repeatable and responsive to change • be capable of continual improvement and enhancement • be continually or periodically re-assessed Process The first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk identification can start with the source of our problems and those of our competitors (benefit), or with the problem itself. Source analysis – Risk sources may be internal or external to the system that is the target of risk management/mitigation. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport. Problem analysis – Risks are related to identifiable threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. • Objectives-based risk identification – Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk. • Scenario-based risk identification – In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk. • Common-risk checking – In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation. • Risk charting – This method combines the above approaches by listing resources (assets) at risk, threats to those resources, modifying factors which may increase or decrease the risk and consequences it is wished to avoid. Assessment Once risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of an unlikely event, the probability of occurrence of which is unknown. Therefore, in the assessment process it is critical to make the best educated decisions in order to properly prioritize the implementation of the risk management plan. Risk Options Risk mitigation measures are usually formulated according to one or more of the following major risk options, which are: 1. Design a new business process with adequate built-in risk control and containment measures from the start. 2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures. 3. Transfer risks to an external agency (e.g. an insurance company) 4. Avoid risks altogether (e.g. by closing down a particular high-risk business area) Potential risk treatments – Mitigation Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories: • Avoidance (eliminate, withdraw from or not become involved) • Reduction (optimize – mitigate) • Sharing (transfer – outsource or insure) • Retention (accept and budget) What is AT risk? Identifying risk factors and discussion of risk treatments is exceedingly important but identifying what is AT risk is paramount. For example, if you have no tangible assets to protect and little or no human capital at stake, perhaps the point of establishing mitigation treatments is mute. However, if you do have assets, either business or personal, at risk, your response to approaching mitigation will be focused and, generally, specific.